  • Hiding the low-level components behind a single facade
    • The distinction between repository and provisioning is partially hidden from the clients; therefore the model provides a kind of location transparency.
    • Provisioning functionality is not exposed directly. Provisioning actions are carried out by modifying a user or account object. Therefore the model provides (partial) uniformity of access to all objects.
  • Enforce access control policies (with respect to target resources)
    • RBAC-based models will maintain roles, their definitions, etc.
    • RBAC-based models will enforce creation/deletion of accounts based on role membership
    • RBAC-based models may enforce account attributes based on role membership
    • The model may implement any mechanism to enforce policies (RuBAC, ABAC, ...) as long as it is usable and consistent.
  • Only one model can be active in a specific deployment (models cannot be mixed in the same system)
  • Maintain values of virtual attributes
    • e.g. attributes implied by role membership, organization, policy, ...
  • Handle synchronization changes
  • Manage reconciliation
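
The RBAC responsibilities above (accounts created and deleted by role membership, account attributes implied by roles) can be sketched as a planning step that runs when a user object is modified. This is an added illustration, not code from the project; the role table, resource names and function names are hypothetical.

```python
from typing import Dict, List, Set, Tuple

# Hypothetical role definitions: role -> resource -> attribute -> implied value.
ROLES: Dict[str, Dict[str, Dict[str, str]]] = {
    "employee": {"ldap": {"group": "staff"}},
    "dba": {"ldap": {"group": "dba"}, "oracle": {"profile": "ADMIN"}},
}

Accounts = Dict[str, Dict[str, List[str]]]  # resource -> attribute -> values
Action = Tuple[str, str, Dict[str, List[str]]]


def implied_accounts(roles: Set[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Merge the accounts and attribute values implied by a set of roles."""
    accounts: Dict[str, Dict[str, Set[str]]] = {}
    for role in sorted(roles):
        if role not in ROLES:
            # Fail closed: an undefined role must never be silently ignored.
            raise ValueError(f"unknown role: {role}")
        for resource, attrs in ROLES[role].items():
            target = accounts.setdefault(resource, {})
            for name, value in attrs.items():
                target.setdefault(name, set()).add(value)
    return accounts


def plan_provisioning(roles: Set[str], existing: Accounts) -> List[Action]:
    """Return (action, resource, detail) tuples for one modified user object."""
    wanted = implied_accounts(roles)
    plan: List[Action] = []
    for resource, attrs in wanted.items():
        if resource not in existing:
            # Role membership implies an account that does not exist yet.
            plan.append(("create", resource, {k: sorted(v) for k, v in attrs.items()}))
            continue
        # Only role-implied attributes are enforced; others are left alone.
        drift = {k: sorted(v) for k, v in attrs.items()
                 if set(existing[resource].get(k, [])) != v}
        if drift:
            plan.append(("modify", resource, drift))
    for resource in existing:
        if resource not in wanted:
            # No remaining role justifies this account.
            plan.append(("delete", resource, {}))
    return sorted(plan, key=lambda a: (a[1], a[0]))
```

The caller only changes the user's role set; the create, modify and delete actions against individual resources are derived, which is the uniformity of access the first bullet describes.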

Component Diagram


Data Structures